Practical Cryptography and Security Concepts for Developers

DEVOPS Zirvesi 2017 Practical Cryptography and Security Concepts for Developers Gökhan Şengün Ar-Ge Yeni Ürün Geliştirme Müdürü @gokhansengun gokhansengun@gmail.com www.gokhansengun.com

DEVOPS Zirvesi 2017 Practical Cryptography and Security Concepts for Developers

DEVOPS Zirvesi 2017 Agenda Motivation and History Cryptographic Hash Functions Secure Storage of Secrets Symmetric Encryption Asymmetric Encryption PKI and Digital Signatures Techniques and Use Cases

DEVOPS Zirvesi 2017 !! DISCLAIMER !! I am neither a cryptographist nor a security professional, just a curious coder who implemented several techniques that will be discussed in the talk. Please consult to a security professional in implementing any of the techniques mentioned.

DEVOPS Zirvesi 2017 Motivation And History

DEVOPS Zirvesi 2017 Scope and Aim of the Talk Understanding the basics of the cryptography in order to understand practical implementations Learning the concepts and the techniques Learning how they apply to our daily lives Not about understanding how the techniques implemented mathematically We will just call mathematical background as “magic” and do not enter that territory Motivation and History

DEVOPS Zirvesi 2017 History Cryptography is 4000 years old Julius Caesar (BC 100) used it too Today what is known as Caesar Cipher or Shift Cipher Motivation and History https://learncryptography.com/classical-encryption/caesar-cipher

DEVOPS Zirvesi 2017 History Ceaser Cipher was ok until people find out how it works Then emerged Substitution Cipher Motivation and History http://www.stealthcopter.com/blog/2009/12/python-cryptography-substitution-cipher-improving-on-the-caesar-cipher/

DEVOPS Zirvesi 2017 History Substitution Cipher was also ok until again people find out how it works Then emerged Vigenere Cipher Motivation and History Message: THIS IS ONLY A TEST Key: CRYPTCRYPTCRYPTCRYP Encryption: VYFGSKIXCFNOXPSVVPH

DEVOPS Zirvesi 2017 Some Useful Functions Provided by Cryptography Confidentiality Integrity Authenticity Non-Reputability These will help us classify problems and match with solutions Motivation and History

DEVOPS Zirvesi 2017 Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Popular Hash Functions MD5 SHA1 SHA256 SHA512 Example Cryptographic Hash Functions “SC Turkey” SHA-1 98bdf215e96120c968120700ee4952c9fc5b40a7 20 Bytes

DEVOPS Zirvesi 2017 Summary Verify authenticity of a piece of data Produce a fixed-length (a few bytes) output called “checksum” or “digest” irrespective of the input data length Impossible to retrieve original data just looking at the output Generate different output for different data Generate the same output for the same data Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Conversion of the Checksum (Digest) data Checksums are binary and they are GENERALLY converted to Hex like below Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Authenticity of Data Use Case #1: You downloaded an ISO file (Ubuntu 16.04.1) via Torrent or an insecure medium You would like to make sure that the file is not altered by someone else Demo Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Authenticity of Data Use Case #2: (DO NOT USE IN PRODUCTION) You want to keep user’s password in the DB to use in authenticating your users But you do not want to store it directly So you store password’s hash in the DB Every time the user is logging in, you compare the hash of provided password and the one in DB Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Authenticity of Data Other Use Cases: Git uses SHA-1 hashes of the objects (blob, commit, tree) to ID them You can calculate hashes of your caches in order to evict and update them You can calculate hashes to version your data just like how Git does Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Authenticity of Data – The Risk The Rainbow Tables Precomputed tables for reversing Cryptographic Hash Functions So do not just hash the passwords and keep them in the DB. LinkedIn made this mistake in 2012 and 167M password hashes leaked 117M of 167M could be cracked Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Hash Collusion Cryptographic Hash Functions promise NOT to produce same output for different input. Hash Collusion occurs if they do not keep their promise :-) Hash algorithm is considered broken if a Hash Collusion is found MD5 was broken for years (since 2007) SHA-1 was broken on 23 Feb 2017!! It required 6610 years of processor time to do it Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Hashed Message Authentication Code (HMAC) What if we would like to carry the checksum with the message itself? Cryptographic Hash Functions

DEVOPS Zirvesi 2017 HMAC – Sending a Message Cryptographic Hash Functions Graphics From: https://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-7-sect-4.html

DEVOPS Zirvesi 2017 HMAC – Validating a Message Cryptographic Hash Functions Graphics From: https://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-7-sect-4.html

DEVOPS Zirvesi 2017 Hashed Message Authentication Code (HMACs) Meaningful if the data Transmitted is constantly changing is not confidential integrity is important Use case example: NTP (Network Time Protocol) – time sent in plain text but its authenticity is checked Shared HMAC key needs to be “somehow” shared between parties Cryptographic Hash Functions

DEVOPS Zirvesi 2017 Secure Storage of Secrets (e.g. Password)

DEVOPS Zirvesi 2017 Summary We have shown that taking the hash of the secrets (e.g. password) and keep it in the DB was not a good idea It has never been a good idea and had LinkedIn embarrassed for years since 2012 So what should be the way to go? Secure Storage of Secrets

DEVOPS Zirvesi 2017 Options Option #1: Keep secret (password) in plain text Pros/Cons: This is definitely not an option When an attacker breaches the database (by SQL injection or any other way), s/he can retrieve all of your passwords Secure Storage of Secrets

DEVOPS Zirvesi 2017 Options Option #2: Encrypt passwords with a symmetric key in storing and retrieving Pros/Cons: Passwords are not in plain text When the database and the secret key are breached, all of the passwords could be cracked It is very difficult to keep the secret key really secret and safe Secure Storage of Secrets

DEVOPS Zirvesi 2017 Options Option #3: Use hashing function on the password but now multiple times (like 1000 times) Hash = sha1(sha1(sha1(…))) Pros/Cons: Passwords are not in plain text Still vulnerable to rainbow attacks Secure Storage of Secrets

DEVOPS Zirvesi 2017 Options Option #4: Salting Secure Storage of Secrets

DEVOPS Zirvesi 2017 Options Option #4: Salted Hashes (depiction) Secure Storage of Secrets Password Salt Cryptographic Hash Function d1d3ec2e6f20fd420d50e2642992841d833 8a314b8ea157c9e18477aaef226ab

DEVOPS Zirvesi 2017 Options Option #4: Use hashing function with a salt in addition to the password Pros/Cons: Passwords are not in plain text Salted hashing produce different hashes even for the same passwords Safe against rainbow attack but not that good against brute force attack Modern GPUs can calculate billions of hashes per second Secure Storage of Secrets

DEVOPS Zirvesi 2017 Options Option #5: Make salted hashes secure by iterations (like 1000), Password Based Key Derivation Functions (PBKDF2) Pros/Cons: Passwords are not in plain text One of the state of the art secure methods in the town Requires lots and lots of CPU cycles Could be used for DOS attacks Secure Storage of Secrets

DEVOPS Zirvesi 2017 Options Option #5: PBKDF2 (depiction) Secure Storage of Secrets Salt # of iteration PBKDF2 d1d3ec2e6f20fd420d50e2642992841d833 8a314b8ea157c9e18477aaef226ab Password

DEVOPS Zirvesi 2017 PBKDF2 is fine but how many iterations are secure? Moore’s Law: Overall processing power of computers will double every two years So your iterations should be doubled every two years Example: AspNetCore.Identity uses a default value of 1000 for PBKDF2 as per Rfc2898 https://github.com/aspnet/Identity/blob/5480aa182bad3fb3b729a0169d0462873331e306/src/Microsoft.AspNetCor e.Identity/PasswordHasher.cs#L113 Secure Storage of Secrets

DEVOPS Zirvesi 2017 Symmetric- Key Encryption

DEVOPS Zirvesi 2017 Summary An encryption system in which the sender and receiver of a message shares a single, common key that can encrypt and decrypt the message Symmetric-Key Encryption http://etutorials.org/Networking/Wireless+lan+security/Chapter+2.+Basic+Security+Mechanics+and+Mechanisms/Security+Mechanics/

DEVOPS Zirvesi 2017 Characteristics Also called Secret Key Encryption Provides very fast and secure encryption Key sharing (distribution) is a big problem Communication is cracked as a whole if the key is compromised Key size relates to the strength of the algorithm Types DES (Data Encryption Standard) Triple DES AES (Advanced Encryption Standard) Symmetric-Key Encryption

DEVOPS Zirvesi 2017 Asymmetric-Key Encryption

DEVOPS Zirvesi 2017 Summary An encryption system having a pair of keys where the data encrypted with one key can only be decrypted with the other Asymmetric-Key Encryption https://msdn.microsoft.com/en-us/library/ff647097.aspx

DEVOPS Zirvesi 2017 Characteristics Also called Public Key Cryptography Attempts to solve biggest problem of Symmetric-Key Encryption namely Key Sharing (distribution) Both parties have a private and public keys where public key is distributed to anyone and private key remains secret Provides slow but secure encryption Not feasible to be used alone in encrypted communication due to expensive nature usually closes the gap of Symmetric-Key Encryption Asymmetric-Key Encryption

DEVOPS Zirvesi 2017 Types RSA (Rivest, Shamir, Adelman) Cryptosystem ElGamal Cryptosystem Elliptic Curve Cryptography RSA is the widely known and used one Each party generates a pair of keys (public and private) RSA is based on the practical difficulty of factoring the product of two large prime numbers Asymmetric-Key Encryption

DEVOPS Zirvesi 2017 PKI and Digital Signatures

DEVOPS Zirvesi 2017 Summary A public key infrastructure (PKI) supports Distributing public encryption keys Identifying public encryption keys Securing exchange of data over untrusted networks (such as the Internet) Verifying the identity of the other party PKI (Public Key Infrastructure)

DEVOPS Zirvesi 2017 Distributing public encryption keys Identifying public encryption keys Securing exchange of data over untrusted networks (such as the Internet) Verifying the identity of the other party PKI (Public Key Infrastructure)

DEVOPS Zirvesi 2017 Digital Signatures – Summary Provides Integrity and Non-Reputability Just like HMACs but with Asymmetric Keys (so no problem with distributing the secret key) Remember how it was with HMAC first below PKI (Public Key Infrastructure) https://msdn.microsoft.com/en-us/library/ff647097.aspx

DEVOPS Zirvesi 2017 Creating a Digital Signature PKI (Public Key Infrastructure) https://www.signinghub.com/oldelectronic-signatures-draft/

DEVOPS Zirvesi 2017 Verifying a Digital Signature PKI (Public Key Infrastructure) https://www.signinghub.com/oldelectronic-signatures-draft/

DEVOPS Zirvesi 2017 Digital Certificates – Summary Provides Authenticity, simple but the missing feature CA (Certification Authorities) guarantees the validity of information in the certificate by signing it Digital Certificates contains Public Key of the identity for which the certificate is issued Therefore solving the key distribution problem PKI (Public Key Infrastructure)

DEVOPS Zirvesi 2017 Obtaining a Digital Certificate PKI (Public Key Infrastructure) https://msdn.microsoft.com/en-us/library/ff647097.aspx

DEVOPS Zirvesi 2017 Verifying a Digital Certificate (Chain) PKI (Public Key Infrastructure) https://sites.google.com/site/ddmwsst/digital-certificates

DEVOPS Zirvesi 2017 Techniques and Use Cases

DEVOPS Zirvesi 2017 HTTPS HTTPS is nothing but plain HTTP with SSL/TLS handshake Any TCP-based protocol can be secured with SSL/TLS Examples: HTTPS, FTPS, SMTPS, NTPS So let’s look at SSL and SSL Handshake Techniques and Use Cases

DEVOPS Zirvesi 2017 SSL/TLS SSL/TLS is secure handshake protocol that provides encryption on the transport (TCP) layer Provides Confidentiality and Data Integrity SSL (Secure Socket Layer) is superseded by TLS (Transport Layer Security) SSL is still referred to in docs and APIs although obsoleted long time ago If somebody says SSL, s/he is probably meaning TLS Techniques and Use Cases

DEVOPS Zirvesi 2017 SSL/TLS Handshake Techniques and Use Cases

DEVOPS Zirvesi 2017 Cipher Suites A collection of symmetric and asymmetric encryption algorithms grouped together to be used in determining common set of a suite Techniques and Use Cases

DEVOPS Zirvesi 2017 HTTP – MITM (Man in the Middle) Attack Techniques and Use Cases

DEVOPS Zirvesi 2017 HTTP – MITM Attack Examples Great China DDoSed Github Tunusia Telco recorded Facebook passwords in login page Your ISP (telco) for AKK (Adil Kullanım Kotası) message Free WiFi hotspots using “Captive Portals” Yourself when using a HTTP proxy like Fiddler, Burp Suite Your employer if using a corporate HTTP proxy Techniques and Use Cases

DEVOPS Zirvesi 2017 HTTPS – Why is it important? Confidentiality Communication is private Integrity No intermediary can modify the content Authenticity Client may validate server’s identity Server may validate client’s identity (Not used) So HTTPS everything - Techniques and Use Cases

DEVOPS Zirvesi 2017 HTTPS – Any disadvantages? Requires more CPU cycles (< %2) Increase page load time (due to SSL negotiation < %3) Obsolete with HTTP/2 adoption Techniques and Use Cases

DEVOPS Zirvesi 2017 Let’s Encrypt Digital certificates are issued for free (sponsored) Need to demonstrate the control over the domain Uses Certbot to issue and auto-renew certs Certificates issued for only 3 months https://certbot.eff.org https://github.com/certbot/certbot Techniques and Use Cases

DEVOPS Zirvesi 2017 Self-signed Certificates Techniques and Use Cases

DEVOPS Zirvesi 2017 Self-signed Certificates Certificate is signed by own private key hence self- signed Best for development Beneficial in internal use where certificate stores of computers are reachable Beneficial in an isolated network Might loose value after Let’s Encrypt adoption Very easy to generate with OpenSSL Just provide X.509 attributes in the CSR Demo Techniques and Use Cases

DEVOPS Zirvesi 2017 SSL/TLS Tools OpenSSL A full-blown crypto library Also includes a TLS api https://badssl.com Observe browser behaviors on SSL/TLS vulnerabilities https://www.ssllabs.com/ssltest/ Analysis on your SSL Techniques and Use Cases

DEVOPS Zirvesi 2017 SSH (Secure SHell) Techniques and Use Cases http://sebastien.saunier.me/blog/2015/05/10/github-public-key-authentication.html

DEVOPS Zirvesi 2017 VPN Stands for Virtual Private Network Creates an encrypted tunnel between two points on the insecure medium (internet) IPSec VPNs provide Network Layer (IP) Security IPSec VPNs may require 3rd party HW and/or SW to work which provide additional security SSL VPNs rely on browser capability, everybody has browsers so everybody has client SW Techniques and Use Cases

DEVOPS Zirvesi 2017 Perfect Forward Secrecy What if all the SSL/TLS traffic is recorded for years and after the private key is obtained All the traffic could be decrypted Perfect Forward Secrecy attempts to solve this by using ephemeral private keys and rotate them time to time to overcome this issue Good old Diffie-Hellman key exchange algorithm to the rescue RSA private key could still be used in accomplishing authenticity while DH is used for determining the shared secret Techniques and Use Cases

Practical Cryptography and Security Concepts for Developers

More Related Content

What's hot

Similar to Practical Cryptography and Security Concepts for Developers

Recently uploaded

Practical Cryptography and Security Concepts for Developers

Editor's Notes